RiskWatch
RiskWatch International · Founded 1993 · Sarasota, FL, USA
Enterprise risk platform for consultancies: a global register with KRI auto-escalation, deployed single-tenant per client.
Summary
RiskWatch is an enterprise risk management platform built around a Global Risk Register that rolls up enterprise, IT, vendor, and physical risk into one view, with business-unit-to-enterprise aggregation a consulting firm can present to a client board. It runs a risk assessment engine with a KRI (Key Risk Indicator) library that auto-escalates a risk when it breaches its threshold, a treatment workflow with owner assignment and tasks tracked to closure, and native threat and vulnerability libraries that feed risk scores into heat maps and executive dashboards. Its differentiator is Risk-to-Compliance bi-directional mapping: audit findings flow back into risk scores and the register feeds control-assessment scope, so one engagement can run risk and compliance together rather than as two disconnected work streams. Pre-built control libraries for 40+ frameworks (ISO 27001, SOC 2, NIST 800-53, HIPAA, PCI DSS) sit underneath. For consulting firms the load-bearing fit is the deployment model: single-tenant deployment per client means each engagement gets its own isolated tenant, data residency, and audit trail, which simplifies client legal review and post-engagement handoff. Customers include state governments in all 50 US states, healthcare networks, and financial-services holding companies, and the product has been in the field since 1993. Physical, cyber, and compliance risk run in the same tenant, which suits security-consulting practices that bundle physical-security assessments with cyber engagements.
Strengths
- Global Risk Register consolidates enterprise, IT, vendor, and physical risk into one register with business-unit-to-enterprise rollup a consultant can present to a client board
- Risk assessment engine with a KRI (Key Risk Indicator) library and auto-escalation when a risk crosses its threshold, so breaches surface between assessment cycles
- Risk treatment workflow with owner assignment, tasks, and recommendations; native threat and vulnerability libraries feed heat maps and executive risk dashboards
- Risk-to-Compliance bi-directional mapping runs risk and compliance in one engagement: audit findings update risk scores and the register feeds control-assessment scope
- 40+ pre-built framework libraries with cross-mapping underneath (ISO 27001 / SOC 2 / NIST 800-53 / HIPAA / PCI DSS overlap is auto-detected, not manually built)
- Single-tenant-per-client deployment model lets each engagement have its own tenant, data residency, and audit trail
- Physical, cyber, and compliance risk run in the same tenant, useful for security-consulting firms; 33-year operating history means client procurement teams recognise the brand on RFP shortlists
- Survey-based assessment engine works for non-technical client control owners, with a published support tier ladder for fixed-cost retainers and vendor, policy, and compliance management as first-party modules
Weaknesses
- No formal published Partner Programme tier-page today; partner economics are negotiated case-by-case rather than self-serve
- Public pricing is opaque; RiskWatch is sold quote-only across every tier
- No native engagement-billing or time-tracking module; advisory firms layer their own PSA (Kantata, ConnectWise, Mavenlink) on top
Boutique GRC consultancies and Tier-2 advisory firms running 5-50 client engagements per year that want one global risk register per client, with KRI-driven escalation, treatment workflows, and board-ready heat maps, plus multi-framework compliance mapping and per-client data isolation on a 33-year vendor brand.
Big-4 advisory practices running Fortune 500 SOX engagements at scale; Optro carries more partner-network gravity for that brief.
Key features
- Global Risk Register with business-unit-to-enterprise rollup for client board reporting
- Risk assessment engine with a KRI (Key Risk Indicator) library and threshold auto-escalation
- Risk treatment workflow with owner assignment, tasks, and recommendations
- Threat and vulnerability libraries that feed risk scores, heat maps, and executive dashboards
- Risk-to-Compliance bi-directional mapping (audit findings update risk scores)
- Pre-built control libraries for 40+ frameworks (ISO 27001:2022, HIPAA, PCI DSS v4, SOC 2 TSC 2017, NIST 800-53 r5, NIST 800-171 r3, GDPR, CMMC 2.0, CCPA, SOX, FFIEC, NERC CIP), cross-mapped within and across client engagements
- Survey-based assessment engine for non-technical client control owners
- Evidence vault with versioning and audit-ready export per client
- Physical security assessment module (ASIS-aligned) for security-consulting practices
- Vendor risk management with BAA and SOC 2 tracking; policy management with approval and attestation workflows
- Single-tenant-per-client deployment for data-residency and client-legal-review requirements
Integrations
25+ native. Notable: Microsoft Entra ID (SAML SSO), Okta, Microsoft 365 / SharePoint, Slack, Jira, Salesforce, Custom REST API.
Target size
100 to 25,000 employees · US · Canada · EU · UK · AU